Update to version 9.2.0707.
Changes:
- patch 9.2.0707: completion: popup misplaced when text before it is concealed
- runtime(doc): document Solaris as supported OS
- runtime(dtrace): handle DTrace probe highlighting before action blocks
- patch 9.2.0706: tests: test_terminal3 may fail when $SHELL is zsh
- runtime(beancount): Add support for non-ASCII account names
- patch 9.2.0705: :delete # silently fails to update "# and clobbers "0
- patch 9.2.0704: GTK4: not handling mouse events
- patch 9.2.0703: session file does not store relative Vim9 autoload imports
- patch 9.2.0702: :windo and :tabdo create an extra window with 'winfixbuf'
- runtime(fennel): Update Last Update header
- runtime(fennel): add more ";" comment leaders to 'comments'
- patch 9.2.0701: tests: test_terminal.vim does not wait for job to finish
- patch 9.2.0700: configure: -lrt requirement for timer_create not detected
- nsis: Remove NSIS Installer Code
- patch 9.2.0699: [security]: possible code execution with python complete
- patch 9.2.0698: [security]: Out-of-bounds write with soundfold()
[122 lines not shown]
wg(4): Add a test case for too many allowed IP address ranges.
PR kern/60232: kernel panic when adding a wireguard peer with too
many allowed IP addresses
wg(4): Add test case for bad ephemeral handshake public keys.
wg(4) should not crash on an assertion if they appear on the network;
it should just gracefully drop them as forgeries, if a MITM attempted
to send them without knowledge of a peer's public key, or accept
them, if a peer legitimately sent them, since that peer could just as
well simply forward the plaintext of the session on to the NSA.
PR kern/60106: wg(4) should properly handle invalid or insecure
ephemeral Curve25119 public keys
wg(4): Add test case for bad peer public keys.
wg(4) should not crash on an assertion if they are used -- it should
just gracefully accept them, with degraded security, since a peer
that maliciously provides an invalid public key is no worse than a
peer that voluntarily exposes all its plaintext anyway.
PR kern/60106: wg(4) should properly handle invalid or insecure
ephemeral Curve25119 public keys
Break out and expand FDT property parsing for awge(4) FDT attachment
frontends
This uses the device tree's possible burst length bus interface settings,
and improves performance on, for instance, Rockchip RK3399
cad/py-PyRTL: Update to 1.0.0
Changelog:
1.0.0:
Added
* PyRTL Floating point library (@gaborszita)
* Registers can be constructed with a State IntEnum to simplify construction
of state machines.
Changed
* Improved CompiledSimulation's performance.
* output_to_verilog now supports custom module_names. (@devmam999)
* Minor improvements to wire_struct and wire_matrix.
* Minor improvements to WaveDrom output.
* Many documentation improvements.
Fixed
[4 lines not shown]
py-filelock: update to 3.29.4.
What's Changed
verify inode in break_lock_file before unlinking a stale lock by @dxbjavid in #561
keep the read/write heartbeat alive on a transient touch error by @dxbjavid in #562
py-cryptography: update to 49.0.0.
49.0.0 - 2026-06-12
BACKWARDS INCOMPATIBLE: Support for x86_64 macOS has been removed. We now only publish arm64 wheels for macOS.
BACKWARDS INCOMPATIBLE: Support for 32-bit Windows has been removed. Users should move to a 64-bit Python installation.
BACKWARDS INCOMPATIBLE: Removed the deprecated PUBLIC_KEY_TYPES, PRIVATE_KEY_TYPES, CERTIFICATE_PRIVATE_KEY_TYPES, CERTIFICATE_ISSUER_PUBLIC_KEY_TYPES, and CERTIFICATE_PUBLIC_KEY_TYPES type aliases. Use PublicKeyTypes, PrivateKeyTypes, CertificateIssuerPrivateKeyTypes, CertificateIssuerPublicKeyTypes, and CertificatePublicKeyTypes instead. These were deprecated in version 40.0.
BACKWARDS INCOMPATIBLE: :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ChaCha20` now treats the first 4 bytes of the nonce as a 32-bit little-endian block counter (as defined in RFC 7539) and tracks the number of bytes processed. Attempting to encrypt or decrypt more data than the counter allows before it would overflow now raises a :class:`ValueError` rather than silently diverging from RFC 7539. Setting the counter portion of the nonce to zero allows encrypting up to 256 GiB with a given nonce.
BACKWARDS INCOMPATIBLE: Loading an X.509 certificate whose ECDSA or DSA signature AlgorithmIdentifier contains encoded NULL parameters now raises a :class:`ValueError`. Such certificates are invalid, but older versions of Java emitted them; previously they loaded with a deprecation warning.
Fixed cross-compilation of the CFFI bindings when PYO3_CROSS_LIB_DIR is set. The build now derives the Python include directory from PYO3_CROSS_LIB_DIR instead of querying the host interpreter, which previously caused the build to fail during cross-compilations for embedded systems, on hosts which have same-version Python development headers installed as the target Python.
Added support for signing and verifying X.509 certificates, certificate signing requests, and certificate revocation lists with :doc:`/hazmat/primitives/asymmetric/mldsa` keys, as well as loading certificates that contain ML-DSA public keys.
Added :meth:`~cryptography.hazmat.primitives.hpke.KEM.enc_length` to :class:`~cryptography.hazmat.primitives.hpke.KEM` so callers can split the encapsulated key from the ciphertext returned by :meth:`~cryptography.hazmat.primitives.hpke.Suite.encrypt`.
:meth:`~cryptography.x509.verification.ExtensionPolicy.require_present`, :meth:`~cryptography.x509.verification.ExtensionPolicy.may_be_present`, and :meth:`~cryptography.x509.verification.ExtensionPolicy.require_not_present` now accept any extension type. Previously only a fixed set of extension types was supported, which made it impossible to account for otherwise unrecognized critical extensions during path validation.
Added support for using :class:`~cryptography.x509.Certificate`, :class:`~cryptography.x509.CertificateSigningRequest`, and :class:`~cryptography.x509.CertificateRevocationList` as field types in :doc:`/hazmat/asn1/index` structures.
Added :func:`~cryptography.hazmat.asn1.value_set`, a class decorator that registers an :class:`enum.Enum` subclass as an ASN.1 value set: members are encoded as their underlying value, and decoding fails if the decoded value does not match one of the declared members.
Added :meth:`~cryptography.x509.Name.from_bytes` for parsing a :class:`~cryptography.x509.Name` from DER bytes, the inverse of :meth:`~cryptography.x509.Name.public_bytes`.
Added the rsa_padding keyword-only parameter to :meth:`~cryptography.x509.CertificateBuilder.public_key`. Passing the :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` class (not an instance) encodes an RSA subject public key in the certificate's subjectPublicKeyInfo with the id-RSASSA-PSS OID and no parameters.
Added external mu (message representative) support to :doc:`/hazmat/primitives/asymmetric/mldsa` via the sign_mu and verify_mu methods, which sign and verify a precomputed 64-byte mu as defined in FIPS 204.
py-OpenSSL: update to 26.3.0.
Backward-incompatible changes:
Dropped support for Python 3.8.
The minimum cryptography version is now 49.0.0.
Removed deprecated OpenSSL.crypto.X509Req, OpenSSL.crypto.dump_certificate_request, and OpenSSL.crypto.load_certificate_request. cryptography.x509 should be used instead.
OpenSSL.SSL.Connection.set_session now raises ValueError if the Session was obtained from a Connection that was using a different Context than this one. OpenSSL requires (but does not verify) that sessions only be re-used with a compatible SSL_CTX, so this contract is now enforced.
Deprecations:
Deprecated OpenSSL.crypto.PKey.generate_key and OpenSSL.crypto.PKey.check. The key generation and loading APIs in cryptography should be used instead.
Deprecated OpenSSL.crypto.dump_privatekey. The serialization APIs on cryptography private key types should be used instead.
[9 lines not shown]